Neutrino modification for POS-terminalsFrom time to time authors of effective and long-lived Trojans and viruses create new modifications and forks of them, like any other software authors. One of the brightest examples amongst them is Zeus (Trojan-Spy.Win32.Zbot, based on classification of “Kaspersky Lab”), which continues to spawn new modifications of itself each year. In a strange way this malware becomes similar to his prototype from Greek mythology. We can also attribute such malware familes as Mirai, NJRat, Andromeda and so on to this “prolific” group. Malware named “Neutrino” takes an important place in this row of well-known trojans, providing various types of infection, spreading and a useful payload.
In this article we analyze a very special species – a variant which could collect credit card information from POS.
Products of “Kaspersky Lab” detect it as Trojan-Banker.Win32.NeutrinoPOS
MD5 of descripted file: 0CF70BCCFFD1D2B2C9D000DE496D34A1
First stage
The Trojan takes a long “sleep” before it starts. It seems that such code was added to fool some AV sandboxes. To determine the period of delay, the Trojan uses a pseudorandom number generator.
Neutrino modification for POS-terminals
C&C Communication
At the next stage, the Trojan extracts a C&C-address list from its body. The list is encoded at Base64. After decoding, the Trojan tries to find a working C&C, using the following algorithm:

Sends POST-request to server, passing through its body encoding in base64 string “enter” (ZW50ZXI=). All encoded strings contains prefix “_wv=”Neutrino modification for POS-terminals
Working server responds with 404 page, which contains at the end of it encoded string c3VjY2Vzcw== (success). In case of “success”, the rTojan marks the address of the used servers as working.Neutrino modification for POS-terminals

We should also notice that in the header of each POST-request there is “auth” field, which stays the same for each sample from family NeutrinoPOS.
Neutrino modification for POS-terminalsRestored code of C&C-server check
 
The C&C address stored at registry branch HKCR\Sofrware\alFSVWJBis the same as other variables and data usedby NeutrinoPOS sample. Branch name differs from the one described here, but after full comparison of both samples, we can claim that both samples are the same modification of Neutrino.
C&C Commands
The described variant contains listed functions:

Download and start file;
Make screenshot;
Search process by name;
Change register branches;
Search file by name on infected host and send it to C&C;
Proxy

The server sends commands in plain view, like “PROXY”, “screenshot” and so on, encoded in base64. Following analysis we can claim that in the current versions of Neutrino there is no functions for DDOS attacks.
Neutrino modification for POS-terminalsImplementation of command control sum calculating
 
Examples of few commands (marked with red line on screenshot above):

Rolxor(“PROXY”) = 0xA53EC5C
Rolxor(“screenshot”) = 0xD9FA0E3

Neutrino modification for POS-terminalsNeutrinoPOS command handler
 
Stealing of credit cards
The algorithm for stealing credit card information is implemented in the Trojan in quite a simple way and described as follows:

The Trojans start to work through currently running processes, using CreateToolhelp32Snapshot\ Process32FirstW\Process32NextW.Neutrino modification for POS-terminals
Using OpenProcess\VirtualQuery\ReadProcessMemory, the Trojan gets information about the memory pages of the process.Neutrino modification for POS-terminals
The Trojan scans the memory pages for string “Track1”, which marks fields of the first track of the magnetic card. All described fields going one by one:

Sequence of symbols in range from ‘0’ to ‘9’ with length equal to 15, 16 or 19. Sequence checking with Luhn algorithm.
Neutrino modification for POS-terminals
Check presence of separation symbol ‘^’ in next and previous fields.
Extract card holder name, with max length, basing on ISO/IEC 7813, equal to 26 symbols:
Rest data (CVC32, expiration date, CVV) extracts as whole block, with check of length and content :

Collected data sends to server with mark “Track1”.
After that, the Trojan starts to extracts next fields with mark “Track2” at the beginning:

At firsts, it extracts PAN with the same checks as on the previous stage.
As separation symbol using ” ‘ ” or ‘D’
Track2 doesn’t contains card holder name — rest data extracts as whole block

Collected data sent to server with mark “Track2”

Distribution Statistics
The largest areas of infection are Russia and Kazakhstan. Nearly 10% of infected computers belong to small business corporate customers.

Conclusion
As we can see from the described Trojan Neutrino, despite belonging to an old, well-known and researched family, it continues to bring various surprises to malware analysts and researchers in the form of atypical functionality or application. We can see the same situation with Mirai forks, for example, which generate an enormous count across all platforms and in different species
Generally speaking, all publications of malware source code with good architecture and various functionality will cause interest and attention from malware authors, who will try to use it for nearly all possible ways of illegal money gain. We can assume that right now there may already be new modifications of Neutrino with functionality for crypto-currency mining.
MD5
CECBED938B10A6EEEA21EAF390C149C1
66DFBA01AE6E3AFE914F649E908E9457
4DB70AE71452647E87380786E065F31E
9D70C5CDEDA945CE0F21E76363FE13C5
B682DA77708EE148B914AAEC6F5868E1
5AA0ADBD3D2B98700B51FAFA6DBB43FD
A03BA88F5D70092BE64C8787E7BC47DE
D18ACF99F965D6955E2236645B32C491
3B6211E898B753805581BB41FB483C48
7D28D392BED02F17094929F8EE84234A
C2814C3A0ACB1D87321F9ECFCC54E18C
74404316D9BAB5FF2D3E87CA97DB5F0C
7C6FF28E0C882286FBBC40F27B6AD248
729C89CB125DF6B13FA2666296D11B5A
855D3324F26BE1E3E3F791C29FB06085
2344098C7FA4F859BE1426CE2AD7AE8E
C330C636DE75832B4EC78068BCF0B126
CCBDB9F4561F9565F049E43BEF3E422F
53C557A8BAC43F47F0DEE30FFFE88673
C&C
hxxp://pranavida.cl/director/tasks.php
hxxps://5.101.4.41/panel/tasks.php
hxxps://5.101.4.41/updatepanel/tasks.php
hxxp://jkentnew.5gbfree.com/p/tasks.php
hxxp://124.217.247.72/tasks.php
hxxp://combee84.com/js/css/tasks.php
hxxp://nut29.xsayeszhaifa.bit/newfiz29/logout.php
hxxp://nut29.nsbacknutdoms11war.com/newfiz29/logout.php
hxxp://jbbrother.com/jbb/meaca/obc/pn/tasks.php
hxxp://ns1.posnxqmp.ru/PANEL/tasks.php
hxxp://nut25.nsbacknutdoms11war.com/newfiz25/logout.php
hxxp://propertiesofseyshellseden.com/newfiz21/logout.php
hxxp://n31.propertiesofseyshellseden.com/newfiz31/logout.php
hxxp://propertiesofseyshellseden.com/newfiz21/logout.php
hxxp://n31.propertiesofseyshellseden.com/newfiz31/logout.php

Leave a Reply